Authenticating users with TACACS and Active Directory
We have about 200 branches where we are going to have an access point just for special users. The way those users authenticate when trying to connect to the AP is via TACACS, but it would be nice if those users could be authenticated against Active Directory, using TACACS as the intermediary.
Comments
-
broc Member Posts: 167
So... what's your question?
Do you want to know if it is possible? Yes.
How to do it? As you are already using TACACS, what product are you currently using?
"Not everything that counts can be counted, and not everything that can be counted counts."
-
amb1s1 Member Posts: 408
When you say product, what do you mean by that? I just started as a Jr. engineer 2 weeks ago and security is one of my weakest areas of knowledge.
-
broc Member Posts: 167
You said that when your users connect to the AP, they get authenticated via TACACS. In order to do that, you need a TACACS server somewhere in your network. Based on which server/product you are using for the authentication, I should be able to direct you on how to get it configured so that it gets its information from AD.
-
amb1s1 Member Posts: 408
I'm not sure because I'm not at work, but we use Cisco ACS; I don't know what version. I will VPN in later on and find out what version it is and what the appliance model is.
-
jason_lunde Member Posts: 567
You can indeed do this. Basically, in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map your domain to a user group (we do this dynamically for some users). You want to make sure to get your group permissions correct, though, so that your AP users don't have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.
-
amb1s1 Member Posts: 408
jason_lunde wrote: »You can indeed do this. Basically, in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map your domain to a user group (we do this dynamically for some users). You want to make sure to get your group permissions correct, though, so that your AP users don't have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.
I'm using ACS 4.1 and yes, I have that option for external user databases. I will look around to see if I can find any documentation on how to set it up. Before we implement any changes we always test in the 3 QA labs that we have, to make sure that everything is working fine.
-
broc Member Posts: 167
Have a look at this document:
http://www.cisco.com/application/pdf/en/us/guest/products/ps407/c2001/ccmigration_09186a00801085d0.pdf
Start at page 419. Let us know if you have any questions; you should be fine, the configuration is quite straightforward.